Imported Upstream version 4.5.2

6 files changed, 122 insertions, 15 deletions

diff --git a/man/Makefile.in b/man/Makefile.in
index f0d8cde7d..679e3464b 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -219,6 +219,8 @@ nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
 p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
@@ -242,6 +244,7 @@ soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
 target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index 1b74fab08..b36a7ece7 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2010-10-19" "4.5.1" "strongSwan"
+.TH IPSEC.CONF 5 "2010-10-19" "4.5.2" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -409,12 +409,20 @@ comma-separated list of ESP encryption/authentication algorithms to be used
 for the connection, e.g.
 .BR aes128-sha256 .
 The notation is
-.BR encryption-integrity-[dh-group] .
+.BR encryption-integrity[-dhgroup][-esnmodes] .
 .br
 If
 .B dh-group
 is specified, CHILD_SA setup and rekeying include a separate diffe hellman
-exchange (IKEv2 only).
+exchange (IKEv2 only). Valid
+.B esnmodes
+(IKEv2 only) are
+.B esn
+and
+.B noesn.
+Specifying both negotiates Extended Sequence number support with the peer,
+the defaut is
+.B noesn.
 .TP
 .BR forceencaps " = yes | " no
 force UDP encapsulation for ESP packets even if no NAT situation is detected.
@@ -1035,8 +1043,11 @@ is not given, the
 of this connection will be used as peer ID.
 
 .SH "CA SECTIONS"
-This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA).
+These are optional sections that can be used to assign special
+parameters to a Certification Authority (CA). Because the daemons
+automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
+there is no need to explicitly add them with a CA section, unless you
+want to assign special parameters (like a CRL) to a CA.
 .TP
 .BR also " = <name>"
 includes ca section
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 9a789acef..295100444 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -409,12 +409,20 @@ comma-separated list of ESP encryption/authentication algorithms to be used
 for the connection, e.g.
 .BR aes128-sha256 .
 The notation is
-.BR encryption-integrity-[dh-group] .
+.BR encryption-integrity[-dhgroup][-esnmodes] .
 .br
 If
 .B dh-group
 is specified, CHILD_SA setup and rekeying include a separate diffe hellman
-exchange (IKEv2 only).
+exchange (IKEv2 only). Valid
+.B esnmodes
+(IKEv2 only) are
+.B esn
+and
+.B noesn.
+Specifying both negotiates Extended Sequence number support with the peer,
+the defaut is
+.B noesn.
 .TP
 .BR forceencaps " = yes | " no
 force UDP encapsulation for ESP packets even if no NAT situation is detected.
@@ -1035,8 +1043,11 @@ is not given, the
 of this connection will be used as peer ID.
 
 .SH "CA SECTIONS"
-This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA).
+These are optional sections that can be used to assign special
+parameters to a Certification Authority (CA). Because the daemons
+automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
+there is no need to explicitly add them with a CA section, unless you
+want to assign special parameters (like a CRL) to a CA.
 .TP
 .BR also " = <name>"
 includes ca section
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index 3eb60afcf..993b2ad10 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.1" "strongSwan"
+.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.2" "strongSwan"
 .SH NAME
 ipsec.secrets \- secrets for IKE/IPsec authentication
 .SH DESCRIPTION
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index 2e58a87d0..e1e4dbe91 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.1" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.2" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -204,6 +204,9 @@ Delay request messages
 .BR charon.receive_delay_type " [0]"
 Specific IKEv2 message type to delay, 0 for any
 .TP
+.BR charon.replay_window " [32]"
+Size of the AH/ESP replay window, in packets.
+.TP
 .BR charon.retransmit_base " [1.8]"
 Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
 .TP
@@ -257,6 +260,9 @@ Derive user-defined MAC address from hash of IKEv2 identity
 .BR charon.plugins.dhcp.server " [255.255.255.255]"
 DHCP server unicast or broadcast IP address
 .TP
+.BR charon.plugins.duplicheck.enable " [yes]"
+enable loaded duplicheck plugin
+.TP
 .BR charon.plugins.eap-aka.request_identity " [yes]"
 
 .TP
@@ -265,6 +271,29 @@ DHCP server unicast or broadcast IP address
 .TP
 .BR charon.plugins.eap-gtc.pam_service " [login]"
 PAM service to be used for authentication
+
+.TP
+.BR charon.plugins.eap-peap.fragment_size " [1024]"
+Maximum size of an EAP-PEAP packet
+.TP
+.BR charon.plugins.eap-peap.max_message_count " [32]"
+Maximum number of processed EAP-PEAP packets
+.TP
+.BR charon.plugins.eap-peap.include_length " [no]"
+Include length in non-fragmented EAP-PEAP packets
+.TP
+.BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
+Phase2 EAP client authentication method
+.TP
+.BR charon.plugins.eap-peap.phase2_piggyback " [no]"
+Phase2 EAP Identity request piggybacked by server onto TLS Finished message
+.TP
+.BR charon.plugins.eap-peap.phase2_tnc " [no]"
+Start phase2 EAP TNC protocol after successful client authentication
+.TP
+.BR charon.plugins.eap-peap.request_peer_auth " [no]"
+Request peer authentication based on a client certificate
+
 .TP
 .BR charon.plugins.eap-radius.class_group " [no]"
 Use the
@@ -284,7 +313,7 @@ If the RADIUS
 attribute with value
 .B ESP
 is received, use the
-.I filter_id 
+.I filter_id
 attribute sent in the RADIUS-Accept message as group membership information that
 is compared to the groups specified in the
 .B rightgroups
@@ -339,18 +368,27 @@ Maximum size of an EAP-TLS packet
 .BR charon.plugins.eap-tls.max_message_count " [32]"
 Maximum number of processed EAP-TLS packets
 .TP
+.BR charon.plugins.eap-tls.include_length " [yes]"
+Include length in non-fragmented EAP-TLS packets
+.TP
 .BR charon.plugins.eap-tnc.fragment_size " [50000]"
 Maximum size of an EAP-TNC packet
 .TP
 .BR charon.plugins.eap-tnc.max_message_count " [10]"
 Maximum number of processed EAP-TNC packets
 .TP
+.BR charon.plugins.eap-tnc.include_length " [yes]"
+Include length in non-fragmented EAP-TNC packets
+.TP
 .BR charon.plugins.eap-ttls.fragment_size " [1024]"
 Maximum size of an EAP-TTLS packet
 .TP
 .BR charon.plugins.eap-ttls.max_message_count " [32]"
 Maximum number of processed EAP-TTLS packets
 .TP
+.BR charon.plugins.eap-ttls.include_length " [yes]"
+Include length in non-fragmented EAP-TTLS packets
+.TP
 .BR charon.plugins.eap-ttls.phase2_method " [md5]"
 Phase2 EAP client authentication method
 .TP
@@ -382,7 +420,7 @@ Request peer authentication based on a client certificate
 
 .TP
 .BR charon.plugins.ha.remote
- 
+
 .TP
 .BR charon.plugins.ha.resync " [yes]"
 
@@ -425,6 +463,9 @@ TNC IMC configuration directory
 .TP
 .BR charon.plugins.tnc-imv.tnc_config " [/etc/tnc_config]"
 TNC IMV configuration directory
+.TP
+.BR charon.plugins.whitelist.enable " [yes]"
+enable loaded whitelist plugin
 .SS libstrongswan section
 .TP
 .BR libstrongswan.crypto_test.bench " [no]"
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 47aa6d552..2d7475225 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -204,6 +204,9 @@ Delay request messages
 .BR charon.receive_delay_type " [0]"
 Specific IKEv2 message type to delay, 0 for any
 .TP
+.BR charon.replay_window " [32]"
+Size of the AH/ESP replay window, in packets.
+.TP
 .BR charon.retransmit_base " [1.8]"
 Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
 .TP
@@ -257,6 +260,9 @@ Derive user-defined MAC address from hash of IKEv2 identity
 .BR charon.plugins.dhcp.server " [255.255.255.255]"
 DHCP server unicast or broadcast IP address
 .TP
+.BR charon.plugins.duplicheck.enable " [yes]"
+enable loaded duplicheck plugin
+.TP
 .BR charon.plugins.eap-aka.request_identity " [yes]"
 
 .TP
@@ -265,6 +271,29 @@ DHCP server unicast or broadcast IP address
 .TP
 .BR charon.plugins.eap-gtc.pam_service " [login]"
 PAM service to be used for authentication
+
+.TP
+.BR charon.plugins.eap-peap.fragment_size " [1024]"
+Maximum size of an EAP-PEAP packet
+.TP
+.BR charon.plugins.eap-peap.max_message_count " [32]"
+Maximum number of processed EAP-PEAP packets
+.TP
+.BR charon.plugins.eap-peap.include_length " [no]"
+Include length in non-fragmented EAP-PEAP packets
+.TP
+.BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
+Phase2 EAP client authentication method
+.TP
+.BR charon.plugins.eap-peap.phase2_piggyback " [no]"
+Phase2 EAP Identity request piggybacked by server onto TLS Finished message
+.TP
+.BR charon.plugins.eap-peap.phase2_tnc " [no]"
+Start phase2 EAP TNC protocol after successful client authentication
+.TP
+.BR charon.plugins.eap-peap.request_peer_auth " [no]"
+Request peer authentication based on a client certificate
+
 .TP
 .BR charon.plugins.eap-radius.class_group " [no]"
 Use the
@@ -284,7 +313,7 @@ If the RADIUS
 attribute with value
 .B ESP
 is received, use the
-.I filter_id 
+.I filter_id
 attribute sent in the RADIUS-Accept message as group membership information that
 is compared to the groups specified in the
 .B rightgroups
@@ -339,18 +368,27 @@ Maximum size of an EAP-TLS packet
 .BR charon.plugins.eap-tls.max_message_count " [32]"
 Maximum number of processed EAP-TLS packets
 .TP
+.BR charon.plugins.eap-tls.include_length " [yes]"
+Include length in non-fragmented EAP-TLS packets
+.TP
 .BR charon.plugins.eap-tnc.fragment_size " [50000]"
 Maximum size of an EAP-TNC packet
 .TP
 .BR charon.plugins.eap-tnc.max_message_count " [10]"
 Maximum number of processed EAP-TNC packets
 .TP
+.BR charon.plugins.eap-tnc.include_length " [yes]"
+Include length in non-fragmented EAP-TNC packets
+.TP
 .BR charon.plugins.eap-ttls.fragment_size " [1024]"
 Maximum size of an EAP-TTLS packet
 .TP
 .BR charon.plugins.eap-ttls.max_message_count " [32]"
 Maximum number of processed EAP-TTLS packets
 .TP
+.BR charon.plugins.eap-ttls.include_length " [yes]"
+Include length in non-fragmented EAP-TTLS packets
+.TP
 .BR charon.plugins.eap-ttls.phase2_method " [md5]"
 Phase2 EAP client authentication method
 .TP
@@ -382,7 +420,7 @@ Request peer authentication based on a client certificate
 
 .TP
 .BR charon.plugins.ha.remote
- 
+
 .TP
 .BR charon.plugins.ha.resync " [yes]"
 
@@ -425,6 +463,9 @@ TNC IMC configuration directory
 .TP
 .BR charon.plugins.tnc-imv.tnc_config " [/etc/tnc_config]"
 TNC IMV configuration directory
+.TP
+.BR charon.plugins.whitelist.enable " [yes]"
+enable loaded whitelist plugin
 .SS libstrongswan section
 .TP
 .BR libstrongswan.crypto_test.bench " [no]"